ABAC Decision Recycling with Dynamic Policy Change

Abstract

Abstract: Attribute-based access control (ABAC) becomes one of the most prominent access control models, as it is flexible and highly expressive. However, in ABAC, the burdened policy query tasks of policy decision point (PDP) and the communication between the PDP and policy enforcement point (PEP) affect the efficiency of access control decision making. Recycling of access control decision results is an effective solution for the above problem. This paper proposes an approach of access control decision recycling for ABAC, which supports dynamic policy change, with policy recycling. The presented approach specifies how to create and update the cache of the access control decision and how to make precise and approximate access control decisions based on the contents of the cache. Finally, we verify the feasibility and effectiveness of the approach by a prototype system test. Test results show that the presented approach can shorten the decision time of the access control system and reduce the burden of the PDP.

Key words: attribute-based access control, closed-world policy, open-world policy, hybrid policy, decision recycling

Gulbostan Akim, Nurmamat Helil. ABAC Decision Recycling with Dynamic Policy Change[J]. Computer and Modernization, 2022, 0(10): 47-54.

References ［28］

［1］	SANDHU R S, SAMARATI P. Access control: Principle and practice［J］. IEEE Communications Magazine, 1994,32(9):40-48.
［2］	SANDHU R S, COYNE E J, FEINSTEIN H L, et al. Role-based access control models［J］. Computer, 1996,29(2):38-47.
［3］	FERRAIOLO D F, SANDHU R S, GAVRILA S, et al. Proposed NIST standard for role-based access control［J］. ACM Transactions on Information and System Security, 2001,4(3):224-274.
［4］	房梁,殷丽华,郭云川,等. 基于属性的访问控制关键技术研究综述［J］. 计算机学报, 2017,40(7):1680-1698.
［5］	KUHN D R, COYNE E J, WEIL T R. Adding attributes to role-based access control［J］. Computer, 2010,43(6):79-81.
［6］	CRAMPTON J, WILLIAMS C. Attribute expressions, policy tables and attribute-based access control［C］// Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies. 2017:79-90.
［7］	WEI Q, RIPEANU M, BEZNOSOV K. Authorization using the publish-subscribe model［C］// Proceedings of the 2008 IEEE International Symposium on Parallel and Distributed Processing with Applications. 2008:53-62.
［8］	KINI P, BEZNOSOV K. Speculative authorization［J］. IEEE Transactions on Parallel and Distributed Systems, 2013,24(4):814-824.
［9］	程相然,陈性元,张斌,等. 基于属性的访问控制策略模型［J］. 计算机工程, 2010,36(15):131-133.
［10］	周加根,叶春晓,罗娟. ABAC策略语义表示和决策方法［J］. 计算机工程与应用, 2013,49(23):56-62.
［11］	FERRAIOLO D, GAVRILA S, KATWALA G. A system for centralized ABAC policy administration and local ABAC policy decision and enforcement in host systems using access control lists［C］// Proceedings of the 3rd ACM Workshop on Attribute-Based Access Control. 2018:35-42.
［12］	钟子超. ABAC安全策略的优化研究［D］. 西安:西安电子科技大学, 2019.
［13］	MOLLOY I, DICKENS L, MORISSET C, et al. Risk-based security decisions under uncertainty［C］// Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy. 2012:157-168.
［14］	SONG L H, LI M C, ZHU Z K, et al. Attribute-based access control using smart contracts for the Internet of things［J］. Procedia Computer Science, 2020,174:231-242.
［15］	IYER P, MASOUMZADEH A. Mining positive and negative attribute-based access control policy rules［C］// Proceedings of the 23rd ACM on Symposium on Access Control Models and Technologies. 2018:161-172.
［16］	DAS S, SURAL S, VAIDYA J, et al. Policy adaptation in hierarchical attribute-based access control systems［J］. ACM Transactions on Internet Technology, 2019,19(3). DOI: 10.1145/3323233.
［17］	〖JP+2〗BEZNOSOV K. Flooding and recycling authorizations［C］// Proceedings of the 2005 Workshop on New Security Paradigm. 2005:67-72.
［18］	BEZNOSOV K. Recycling authorizations: Toward secondary and approximate authorizations model (SAAM)［R］. University of British Columbia, 2005.
［19］	CRAMPTON J, LEUNG W, BEZNOSOV K. The secondary and approximate authorization model and its application to Bell-LaPadula policies［C］// Proceedings of the 11th ACM Symposium on Access Control Models and Technologies. 2006:111-120.
［20］	REEJA S L. Role based access control mechanism in cloud computing using co-operative secondary authorization recycling method［J］. International Journal of Emerging Technology and Advanced Engineering, 2012,2(10):444-450.
［21］	陈阳,赵琛,窦燕,等. 基于角色访问控制模型的缓存机制研究［J］. 计算机工程, 2006,32(12):142-144.
［22］	WEI Q, RIPEANU M, BEZNOSOV K. Cooperative secondary authorization recycling［C］// Proceedings of the 16th International Symposium on High Performance Distributed Computing. 2007:65-74.
［23］	WEI Q, CRAMPTON J, BEZNOSOV K, et al. Authorization recycling in RBAC systems［C］// Proceedings of the 13th ACM Symposium on Access Control Models and Technologies. 2008:63-72.
［24］	KOHLER M, BRUCKER A D. Access control caching strategies: An empirical evaluation［C］// Proceedings of the 6th International Workshop on Security Measurements and Metrics. 2010:57-64.
［25］	YASEEN Q, ALTHEBYAN Q, JARARWEH Y. PEP-side caching: An insider threat port［C］// Proceedings of the 2013 IEEE 14th International Conference on Information Reuse & Integration (IRI). 2013:137-144.
［26］	HU V, FERRAIOLO D, KUHN D R, et al. Guide to attribute based access control (ABAC) denition and considerations［R］. National Institute of Standards and Technology, 2014.
［27］	OASIS. The extensible access control markup language (XACML) version 3.0 plus Errata 01［DB/OL］. (2017-07-12)［2021-11-22］. http://docs.oasis-open.org/xacml/3.0/errata01/os/xacml-3.0-core-spec-errata01-os-complete.html.
［28］	韩舒艳,努尔买买提·黑力力. 选择性隐藏树型访问结构的CP-ABE方案［J］. 计算机工程, 2020,46(7):150-158.